dovecot-2.3.16-6.el8_10

Errata ID: AXSA:2024-8878:05

Release date: Thursday, October 3, 2024 - 13:25
Subject: dovecot-2.3.16-6.el8_10
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description: 

Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages.

Security Fix(es):

* dovecot: using a large number of address headers may trigger a denial of service (CVE-2024-23184)
* dovecot: very large headers can cause resource exhaustion when parsing message (CVE-2024-23185)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-23184
Having a large number of address headers (From, To, Cc, Bcc, etc.) becomes excessively CPU intensive. With 100k header lines, CPU usage is already 12 seconds, and in a production environment we observed 500k header lines taking 18 minutes to parse. Since this can be triggered by external actors sending emails to a victim, this is a security issue. An external attacker can send specially crafted messages that consume target system resources and cause an outage. One can implement restrictions on address headers on the MTA component preceding Dovecot. No publicly available exploits are known.
CVE-2024-23185
Very large headers can cause resource exhaustion when parsing a message. The message-parser normally reads reasonably sized chunks of the message. However, when it feeds them to message-header-parser, it starts building up a "full_value" buffer out of the smaller chunks. The full_value buffer has no size limit, so large headers can cause large memory usage. It doesn't matter whether it's a single long header line or a single header split into multiple lines. This bug exists in all Dovecot versions. Incoming mails typically have some size limits set by the MTA, so even the largest possible header size may still fit into Dovecot's vsz_limit. So attackers probably can't DoS a victim user this way. A user could APPEND larger mails though, allowing them to DoS themselves (although this may cause some memory issues for the backend in general). One can implement restrictions on headers on the MTA component preceding Dovecot. No publicly available exploits are known.
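Both CVE texts above point to the same mitigation: enforce limits on the header block at the MTA before mail reaches Dovecot. The following is an added illustration of such a pre-check, written for this errata and not taken from Dovecot or any MTA. It scans a message's header block in fixed-size chunks, counts address headers (the list of header names, the chunk size and all limit values are constructed assumptions), and rejects the message as soon as the address-header count, the size of one logical header (folded continuation lines included), or the total header size crosses its cap. Because it never accumulates a header beyond the per-header limit, its memory use stays bounded no matter how large the input is, which is exactly the property the "full_value" buffer described in CVE-2024-23185 lacks.

```python
"""Streaming header-limit pre-check of the kind an MTA-side filter could apply
before handing mail to Dovecot. Added illustration; not Dovecot code. The header
names, chunk size and limit values below are constructed assumptions."""
import io

# Headers treated as address lists (constructed set for this example).
ADDRESS_HEADERS = {b"from", b"to", b"cc", b"bcc", b"sender", b"reply-to"}

MAX_ADDRESS_HEADERS = 100             # assumed cap on address header lines per message
MAX_HEADER_BYTES = 64 * 1024          # assumed cap on one logical (possibly folded) header
MAX_TOTAL_HEADER_BYTES = 1024 * 1024  # assumed cap on the whole header block
CHUNK_SIZE = 4096                     # read size; memory use is bounded independently of input


class HeaderLimitExceeded(ValueError):
    """Raised as soon as any limit is crossed; nothing is buffered past the limit."""


def check_header_limits(stream, *, max_address_headers=MAX_ADDRESS_HEADERS,
                        max_header_bytes=MAX_HEADER_BYTES,
                        max_total_header_bytes=MAX_TOTAL_HEADER_BYTES,
                        chunk_size=CHUNK_SIZE):
    """Scan the header block of a message in fixed-size chunks.

    Returns a dict with the number of address headers and header bytes seen.
    The only state carried across chunks is one partial line plus a few
    counters, so memory stays bounded by max_header_bytes for any input.
    """
    address_count = 0
    total_bytes = 0
    current_header_bytes = 0   # size of the logical header currently being read
    pending = b""              # incomplete line carried over from the previous chunk

    while True:
        chunk = stream.read(chunk_size)
        if chunk:
            data = pending + chunk
            lines = data.split(b"\n")
            pending = lines.pop()          # last element is an incomplete line (or empty)
            at_eof = False
        else:
            lines = [pending] if pending else []
            pending = b""
            at_eof = True

        # A partial line already longer than the per-header cap can never be
        # accepted, so reject it without waiting for the rest of it to arrive.
        if len(pending) > max_header_bytes:
            raise HeaderLimitExceeded("header line exceeds %d bytes" % max_header_bytes)

        for raw in lines:
            line = raw.rstrip(b"\r")
            if line == b"":
                # Blank line terminates the header block.
                return {"address_headers": address_count, "header_bytes": total_bytes}

            nbytes = len(raw) + 1          # count the newline as well
            total_bytes += nbytes
            if total_bytes > max_total_header_bytes:
                raise HeaderLimitExceeded("header block exceeds %d bytes" % max_total_header_bytes)

            if line[:1] in (b" ", b"\t"):
                # Folded continuation line: still part of the same logical header.
                current_header_bytes += nbytes
            else:
                current_header_bytes = nbytes
                name = line.split(b":", 1)[0].strip().lower()
                if name in ADDRESS_HEADERS:
                    address_count += 1
                    if address_count > max_address_headers:
                        raise HeaderLimitExceeded("more than %d address headers" % max_address_headers)

            if current_header_bytes > max_header_bytes:
                raise HeaderLimitExceeded("header exceeds %d bytes" % max_header_bytes)

        if at_eof:
            # Header block without a terminating blank line: report what was seen.
            return {"address_headers": address_count, "header_bytes": total_bytes}


def check_message_bytes(data, **limits):
    """Run the check over an in-memory message; same return value and exceptions."""
    return check_header_limits(io.BytesIO(data), **limits)


def header_limits_ok(data, **limits):
    """Convenience wrapper: True if the message passes, False if a limit is hit."""
    try:
        check_message_bytes(data, **limits)
        return True
    except HeaderLimitExceeded:
        return False


if __name__ == "__main__":
    # Constructed samples: a small normal message passes; 101 Cc lines do not.
    ok = (b"From: alice@example.com\r\nTo: bob@example.com,\r\n carol@example.com\r\n"
          b"Subject: hi\r\n\r\nbody\r\n")
    flood = b"".join(b"Cc: u%d@example.com\r\n" % i for i in range(101)) + b"\r\nbody\r\n"
    print(check_message_bytes(ok))
    print(header_limits_ok(flood))
```

The per-header check covers both shapes named in CVE-2024-23185, a single very long line and one header folded across many continuation lines, since folded lines are added to the running size of the current header rather than being counted afresh. The address-header cap is the MTA-side restriction suggested for CVE-2024-23184; the value to use in practice depends on the legitimate traffic a site sees.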

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. dovecot-2.3.16-6.el8_10.src.rpm
    MD5: a214b27421976df9cc92e5dbc0c90365
    SHA-256: 698fb06e79a52abffc991721ba61d3251d88489154af48ecf36eb4c6aa9640b3
    Size: 9.23 MB

Asianux Server 8 for x86_64
  1. dovecot-2.3.16-6.el8_10.i686.rpm
    MD5: 6b2055a2dbf81aeeb191f39738e35d97
    SHA-256: 8b1dddc99780d650b289f8fae14702ec816721da3ae0145bb04eddc523cd3d44
    Size: 5.62 MB
  2. dovecot-2.3.16-6.el8_10.x86_64.rpm
    MD5: e24be458765dd923d53ff313ab5c6ffd
    SHA-256: 45feecf2c92a5c3ee8b257548ff728d5765dca4e385f18aa5c8fdb42a5b74bff
    Size: 5.22 MB
  3. dovecot-devel-2.3.16-6.el8_10.i686.rpm
    MD5: 5b1b7c7139142b438ad367f691d50653
    SHA-256: d3815d1111cff4fe2a6530c73a63932cced499ff146f1c9cf4b96f22b2a98848
    Size: 582.16 kB
  4. dovecot-devel-2.3.16-6.el8_10.x86_64.rpm
    MD5: b3eed1066dd491cc45e42368e742aaf6
    SHA-256: be3ae033b3a8658ed24eaeacd84dfb744787c092b36026918b28f54f9aeb1bcb
    Size: 582.16 kB
  5. dovecot-mysql-2.3.16-6.el8_10.x86_64.rpm
    MD5: e83ad5fdde48070122e249f979e444ab
    SHA-256: 97c35dae244f24b0dfa43d29f47c5b8199c66e5755f668261133af7d47517854
    Size: 101.09 kB
  6. dovecot-pgsql-2.3.16-6.el8_10.x86_64.rpm
    MD5: a98bf80f9238aba0280cc4c34a9c0021
    SHA-256: c4e6bff97ca0e30052b69a705e13a137c64c73900de03ea5f0d59c4f7e1048f1
    Size: 104.36 kB
  7. dovecot-pigeonhole-2.3.16-6.el8_10.x86_64.rpm
    MD5: 9bf78b0a4f2d9638a6d3ff763d22be28
    SHA-256: c7af57f55dd1d043402be5d2b150ed71dca3664c495b05f4410813188fe672d3
    Size: 484.23 kB